]> git.decadent.org.uk Git - nfs-utils.git/commitdiff
gssd: Look for user creds in user defined directory
authorSteve Dickson <steved@redhat.com>
Thu, 22 Mar 2012 15:02:46 +0000 (11:02 -0400)
committerSteve Dickson <steved@redhat.com>
Thu, 22 Mar 2012 15:07:23 +0000 (11:07 -0400)
The user credential cache currently is kept in /tmp.
In upcoming Kerberos release that will be moved to
/run/user/<username>/. This patch enables gssd to
look in both the old and new caches

Signed-off-by: Steve Dickson <steved@redhat.com>
utils/gssd/gssd.c
utils/gssd/gssd.h
utils/gssd/gssd_proc.c

index ccadb0777805dfd52d931e6fcc762769b97bb319..d53795e30fc472465d4fe1187e4ae443e7bf82ec 100644 (file)
@@ -57,7 +57,7 @@
 
 char pipefs_dir[PATH_MAX] = GSSD_PIPEFS_DIR;
 char keytabfile[PATH_MAX] = GSSD_DEFAULT_KEYTAB_FILE;
-char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR;
+char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR ":" GSSD_USER_CRED_DIR;
 char *ccachesearch[GSSD_MAX_CCACHE_SEARCH + 1];
 int  use_memcache = 0;
 int  root_uses_machine_creds = 1;
index 40f824cd19c2056f160c44764acb039a40df8f92..28a8206d95210190368e79a6acee70e8aa5a45d3 100644 (file)
@@ -45,6 +45,7 @@
 #define DNOTIFY_SIGNAL         (SIGRTMIN + 3)
 
 #define GSSD_DEFAULT_CRED_DIR                  "/tmp"
+#define GSSD_USER_CRED_DIR                     "/run/user"
 #define GSSD_DEFAULT_CRED_PREFIX               "krb5cc_"
 #define GSSD_DEFAULT_MACHINE_CRED_SUFFIX       "machine"
 #define GSSD_DEFAULT_KEYTAB_FILE               "/etc/krb5.keytab"
index a51dbaeba3d06e8414356573418bf02b36a15d6c..aa394359e27398fd3dfe25462ca2be177b7088d4 100644 (file)
@@ -918,6 +918,23 @@ int create_auth_rpc_client(struct clnt_info *clp,
        goto out;
 }
 
+static char *
+user_cachedir(char *dirname, uid_t uid)
+{
+       struct passwd *pw;
+       char *ptr;
+
+       if ((pw = getpwuid(uid)) == NULL) {
+               printerr(0, "user_cachedir: Failed to find '%d' uid"
+                           " for cache directory\n");
+               return NULL;
+       }
+       ptr = malloc(strlen(dirname)+strlen(pw->pw_name)+2);
+       if (ptr)
+               sprintf(ptr, "%s/%s", dirname, pw->pw_name);
+
+       return ptr;
+}
 /*
  * this code uses the userland rpcsec gss library to create a krb5
  * context on behalf of the kernel
@@ -932,7 +949,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
        gss_buffer_desc         token;
        char                    **credlist = NULL;
        char                    **ccname;
-       char                    **dirname;
+       char                    **dirname, *dir, *userdir;
        int                     create_resp = -1;
        int                     err, downcall_err = -EACCES;
 
@@ -975,7 +992,22 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
                                service == NULL)) {
                /* Tell krb5 gss which credentials cache to use */
                for (dirname = ccachesearch; *dirname != NULL; dirname++) {
-                       err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname);
+                       /* See if the user name is needed */
+                       if (strncmp(*dirname, GSSD_USER_CRED_DIR, 
+                                       strlen(GSSD_USER_CRED_DIR)) == 0) {
+                               userdir = user_cachedir(*dirname, uid);
+                               if (userdir == NULL) 
+                                       continue;
+                               dir = userdir;
+                       } else
+                               dir = *dirname;
+
+                       err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, dir);
+
+                       if (userdir) {
+                               free(userdir);
+                               userdir = NULL;
+                       }
                        if (err == -EKEYEXPIRED)
                                downcall_err = -EKEYEXPIRED;
                        else if (!err)